Think about what wasn't developed by the pros

A few years ago I was testing an e-commerce system that had just been rewritten by an outsourced vendor. I was asked to identify possible security errors in their implementation. As part of that testing, I looked at the HTML, tried some basic SQL injection, and did some URL manipulation. All the basic tests I could think of were failing. Before moving on to the big guns - setting up tools and writing some custom scripts to try different things - I decided to step back and ask some simple questions.

This site had been rewritten by a company that specialized in secure web development. Looking at the code, you could tell these guys knew there stuff. I could spend days or even weeks testing this site before I found anything. I knew that. Instead of attacking the site to get what I wanted, I asked what this outsourced team likely didn't develop. What would the company be too cheap to outsource? What would they feel like they could do themselves?

Within minutes I had a show stopper issue. I could access every item I wasn't suppose to.

The company had not outsourced the development of the search function on the site. It had been a guess. Everyone thinks they can develop a good search feature - even though few actually can. When I searched for an item to purchase, all the results came back referenced using their primary key in the database. I knew that because of the creative variable naming of "pk=". Armed with this information, I was able to do some pattern matching and noticed that the key was used in the URL in certain places. From there, I could access whatever I wanted.